<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 7.3.0">

  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next-haha.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next-haha.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next-haha.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">



<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/7.0.0/css/all.min.css" integrity="sha256-VHqXKFhhMxcpubYf9xiWdCiojEbY9NexQ4jh8AxbvcM=" crossorigin="anonymous">
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">

<script class="next-config" data-name="main" type="application/json">{"hostname":"ming.theyan.gs","root":"/","images":"/images","scheme":"Pisces","darkmode":false,"version":"8.25.0","exturl":false,"sidebar":{"position":"left","width_expanded":320,"width_dual_column":240,"display":"post","padding":18,"offset":12},"hljswrap":true,"codeblock":{"theme":{"light":"default","dark":"stackoverflow-dark"},"prism":{"light":"prism","dark":"prism-dark"},"copy_button":{"enable":false,"style":null},"fold":{"enable":false,"height":500},"language":false},"bookmark":{"enable":true,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"duration":200,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false,"i18n":{"placeholder":"搜索...","empty":"没有找到任何搜索结果：${query}","hits_time":"找到 ${hits} 个搜索结果（用时 ${time} 毫秒）","hits":"找到 ${hits} 个搜索结果"},"path":"/search.xml","localsearch":{"enable":true,"top_n_per_article":1,"unescape":false,"preload":false,"trigger":"auto"}}</script><script src="/js/config.js" defer></script>

    <meta name="description" content="Why为什么要做服务器的集中认证（和统一权限管理）呢？简答之：当服务器数量呈几何级增长之后，为每台机器维护单独的用户系统已经成为了一个几乎不可能完成的任务（试想下为一万台服务器上的每个用户每三个月修改一次密码），虽然现在也可以通过类似于ansible之类的工具也可以比较容易地做到，但我们有更好的解决方案—-统一认证，这样，只需要在一个地方维护用户数据即可，这样简洁可靠的方案，肯定比ansible之">
<meta property="og:type" content="article">
<meta property="og:title" content="Linux下用户启用Windows AD做集中认证">
<meta property="og:url" content="https://ming.theyan.gs/2016/10/Linux%E4%B8%8B%E7%94%A8%E6%88%B7%E5%90%AF%E7%94%A8Windows-AD%E5%81%9A%E9%9B%86%E4%B8%AD%E8%AE%A4%E8%AF%81/index.html">
<meta property="og:site_name" content="运维烂笔头">
<meta property="og:description" content="Why为什么要做服务器的集中认证（和统一权限管理）呢？简答之：当服务器数量呈几何级增长之后，为每台机器维护单独的用户系统已经成为了一个几乎不可能完成的任务（试想下为一万台服务器上的每个用户每三个月修改一次密码），虽然现在也可以通过类似于ansible之类的工具也可以比较容易地做到，但我们有更好的解决方案—-统一认证，这样，只需要在一个地方维护用户数据即可，这样简洁可靠的方案，肯定比ansible之">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2016-10-06T06:22:35.000Z">
<meta property="article:modified_time" content="2019-04-04T23:47:07.007Z">
<meta property="article:author" content="老杨">
<meta property="article:tag" content="AD">
<meta property="article:tag" content="ldap">
<meta property="article:tag" content="sssd">
<meta property="article:tag" content="realm">
<meta property="article:tag" content="adcli">
<meta name="twitter:card" content="summary">


<link rel="canonical" href="https://ming.theyan.gs/2016/10/Linux%E4%B8%8B%E7%94%A8%E6%88%B7%E5%90%AF%E7%94%A8Windows-AD%E5%81%9A%E9%9B%86%E4%B8%AD%E8%AE%A4%E8%AF%81/">


<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"zh-CN","comments":true,"permalink":"https://ming.theyan.gs/2016/10/Linux%E4%B8%8B%E7%94%A8%E6%88%B7%E5%90%AF%E7%94%A8Windows-AD%E5%81%9A%E9%9B%86%E4%B8%AD%E8%AE%A4%E8%AF%81/index.html","path":"2016/10/Linux下用户启用Windows-AD做集中认证/index.html","title":"Linux下用户启用Windows AD做集中认证"}</script>

<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>Linux下用户启用Windows AD做集中认证 | 运维烂笔头</title>
  
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-106574959-2"></script>
  <script class="next-config" data-name="google_analytics" type="application/json">{"tracking_id":"UA-106574959-2","only_pageview":false,"measure_protocol_api_secret":null}</script>
  <script src="/js/third-party/analytics/google-analytics.js" defer></script>

  <script src="/js/third-party/analytics/baidu-analytics.js" defer></script>
  <script async src="https://hm.baidu.com/hm.js?fdef9ded31bdb8b2dab08eddebdd5fed"></script>







  
  <script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous" defer></script>
<script src="/js/utils.js" defer></script><script src="/js/motion.js" defer></script><script src="/js/sidebar.js" defer></script><script src="/js/next-boot.js" defer></script><script src="/js/bookmark.js" defer></script>

  <script src="https://cdnjs.cloudflare.com/ajax/libs/hexo-generator-searchdb/1.5.0/search.js" integrity="sha256-xFC6PJ82SL9b3WkGjFavNiA9gm5z6UBxWPiu4CYjptg=" crossorigin="anonymous" defer></script>
<script src="/js/third-party/search/local-search.js" defer></script>







  




<!-- google adsense -->
<script data-ad-client="ca-pub-1045025618858716" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>

  <noscript>
    <link rel="stylesheet" href="/css/noscript.css">
  </noscript>
<link rel="alternate" href="/atom.xml" title="运维烂笔头" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">
    <div class="column">
      <header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏" role="button">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <i class="logo-line"></i>
      <p class="site-title">运维烂笔头</p>
      <i class="logo-line"></i>
    </a>
      <p class="site-subtitle" itemprop="description">一个 SA 老兵的工作日志</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger" aria-label="搜索" role="button">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>



<nav class="site-nav">
  <ul class="main-menu menu"><li class="menu-item menu-item-projects"><a href="/projects" rel="section"><i class="fa fa-code fa-fw"></i>projects</a></li><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a></li><li class="menu-item menu-item-about"><a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a></li><li class="menu-item menu-item-sitemap"><a href="/sitemap.xml" rel="section"><i class="fa fa-sitemap fa-fw"></i>站点地图</a></li><li class="menu-item menu-item-commonweal"><a href="/404/" rel="section"><i class="fa fa-heartbeat fa-fw"></i>公益 404</a></li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
      <div class="search-header">
        <span class="search-icon">
          <i class="fa fa-search"></i>
        </span>
        <div class="search-input-container">
          <input autocomplete="off" autocapitalize="off" maxlength="80"
                placeholder="搜索..." spellcheck="false"
                type="search" class="search-input">
        </div>
        <span class="popup-btn-close" role="button">
          <i class="fa fa-times-circle"></i>
        </span>
      </div>
      <div class="search-result-container">
        <div class="search-result-icon">
          <i class="fa fa-spinner fa-pulse fa-5x"></i>
        </div>
      </div>
    </div>
  </div>

</header>
        
  
  <aside class="sidebar">

    <div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
      <ul class="sidebar-nav">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <div class="sidebar-panel-container">
        <!--noindex-->
        <div class="post-toc-wrap sidebar-panel">
            <div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#Why"><span class="nav-number">1.</span> <span class="nav-text">Why</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#How-to"><span class="nav-number">2.</span> <span class="nav-text">How to</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E8%83%8C%E6%99%AF%E7%8E%AF%E5%A2%83"><span class="nav-number">2.1.</span> <span class="nav-text">背景环境</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%85%B7%E4%BD%93%E9%83%A8%E7%BD%B2"><span class="nav-number">2.2.</span> <span class="nav-text">具体部署</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#CentOS-6-x"><span class="nav-number">2.2.1.</span> <span class="nav-text">CentOS 6.x</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%AE%89%E8%A3%85%E8%BD%AF%E4%BB%B6"><span class="nav-number">2.2.1.1.</span> <span class="nav-text">安装软件</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E4%BF%AE%E6%94%B9%E9%85%8D%E7%BD%AE"><span class="nav-number">2.2.1.2.</span> <span class="nav-text">修改配置</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#krb5-conf"><span class="nav-number">2.2.1.2.1.</span> <span class="nav-text">krb5.conf</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#sssd-conf"><span class="nav-number">2.2.1.2.2.</span> <span class="nav-text">sssd.conf</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#sudoer"><span class="nav-number">2.2.1.2.3.</span> <span class="nav-text">sudoer</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E9%87%8D%E5%90%AF%E6%9C%8D%E5%8A%A1"><span class="nav-number">2.2.1.3.</span> <span class="nav-text">重启服务</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E7%BB%B4%E6%8A%A4%E5%91%BD%E4%BB%A4"><span class="nav-number">2.2.1.4.</span> <span class="nav-text">维护命令</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98"><span class="nav-number">2.2.1.5.</span> <span class="nav-text">常见问题</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#%E4%B8%8D%E8%83%BD%E5%8A%A0%E5%85%A5%E5%9F%9F"><span class="nav-number">2.2.1.5.1.</span> <span class="nav-text">不能加入域</span></a></li></ol></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#CentOS-7-x"><span class="nav-number">2.2.2.</span> <span class="nav-text">CentOS 7.x</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%AE%89%E8%A3%85%E8%BD%AF%E4%BB%B6-1"><span class="nav-number">2.2.2.1.</span> <span class="nav-text">安装软件</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E4%BF%AE%E6%94%B9%E9%85%8D%E7%BD%AE-1"><span class="nav-number">2.2.2.2.</span> <span class="nav-text">修改配置</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#sudoer-1"><span class="nav-number">2.2.2.2.1.</span> <span class="nav-text">sudoer</span></a></li><li class="nav-item nav-level-5"><a class="nav-link" href="#sssd-conf-1"><span class="nav-number">2.2.2.2.2.</span> <span class="nav-text">sssd.conf</span></a></li></ol></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E9%87%8D%E5%90%AF%E6%9C%8D%E5%8A%A1-1"><span class="nav-number">2.2.2.3.</span> <span class="nav-text">重启服务</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E7%BB%B4%E6%8A%A4%E5%91%BD%E4%BB%A4-1"><span class="nav-number">2.2.2.4.</span> <span class="nav-text">维护命令</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98-1"><span class="nav-number">2.2.2.5.</span> <span class="nav-text">常见问题</span></a><ol class="nav-child"><li class="nav-item nav-level-5"><a class="nav-link" href="#sssd%E4%B8%8D%E8%83%BD%E5%90%AF%E5%8A%A8"><span class="nav-number">2.2.2.5.1.</span> <span class="nav-text">sssd不能启动</span></a></li></ol></li></ol></li></ol></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#%E7%9B%B8%E5%85%B3%E9%93%BE%E6%8E%A5"><span class="nav-number">3.</span> <span class="nav-text">相关链接</span></a></li></ol></div>
        </div>
        <!--/noindex-->

        <div class="site-overview-wrap sidebar-panel">
          <div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">老杨</p>
  <div class="site-description" itemprop="description">好记性比不过烂笔头</div>
</div>
<div class="site-state-wrap animated">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
        <a href="/archives/">
          <span class="site-state-item-count">114</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
          <a href="/categories/">
        <span class="site-state-item-count">8</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
          <a href="/tags/">
        <span class="site-state-item-count">509</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author animated">
      <span class="links-of-author-item">
        <a href="https://github.com/haw-haw" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;haw-haw" rel="noopener me" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:blog@theyan.gs" title="E-Mail → mailto:blog@theyan.gs" rel="noopener me" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
      <span class="links-of-author-item">
        <a href="https://weibo.com/u/1494877243" title="Weibo → https:&#x2F;&#x2F;weibo.com&#x2F;u&#x2F;1494877243" rel="noopener me" target="_blank"><i class="fab fa-weibo fa-fw"></i>Weibo</a>
      </span>
      <span class="links-of-author-item">
        <a href="https://twitter.com/6fool" title="Twitter → https:&#x2F;&#x2F;twitter.com&#x2F;6fool" rel="noopener me" target="_blank"><i class="fab fa-twitter fa-fw"></i>Twitter</a>
      </span>
  </div>

        </div>
      </div>
    </div>

    
    <div class="sidebar-inner sidebar-blogroll">
      <div class="links-of-blogroll animated">
        <div class="links-of-blogroll-title"><i class="fa fa-globe fa-fw"></i>
          链接
        </div>
        <ul class="links-of-blogroll-list">
            <li class="links-of-blogroll-item">
              <a href="https://bad-pencil.github.io/" title="https:&#x2F;&#x2F;bad-pencil.github.io" rel="noopener" target="_blank">github 镜像站</a>
            </li>
            <li class="links-of-blogroll-item">
              <a href="https://hawhaw.gitee.io/" title="https:&#x2F;&#x2F;hawhaw.gitee.io" rel="noopener" target="_blank">gitee 镜像站</a>
            </li>
        </ul>
      </div>
    </div>
  </aside>


    </div>

    <div class="main-inner post posts-expand">


  


<div class="post-block">
  
  

  <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ming.theyan.gs/2016/10/Linux%E4%B8%8B%E7%94%A8%E6%88%B7%E5%90%AF%E7%94%A8Windows-AD%E5%81%9A%E9%9B%86%E4%B8%AD%E8%AE%A4%E8%AF%81/index.html">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="老杨">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="运维烂笔头">
      <meta itemprop="description" content="好记性比不过烂笔头">
    </span>

    <span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
      <meta itemprop="name" content="Linux下用户启用Windows AD做集中认证 | 运维烂笔头">
      <meta itemprop="description" content="">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Linux下用户启用Windows AD做集中认证
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">发表于</span>

      <time title="创建时间：2016-10-06 14:22:35" itemprop="dateCreated datePublished" datetime="2016-10-06T14:22:35+08:00">2016-10-06</time>
    </span>
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar-check"></i>
      </span>
      <span class="post-meta-item-text">更新于</span>
      <time title="修改时间：2019-04-05 07:47:07" itemprop="dateModified" datetime="2019-04-05T07:47:07+08:00">2019-04-05</time>
    </span>

  
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody"><h1 id="Why"><a href="#Why" class="headerlink" title="Why"></a>Why</h1><p>为什么要做服务器的集中认证（和统一权限管理）呢？简答之：当服务器数量呈几何级增长之后，为每台机器维护单独的用户系统已经成为了一个几乎不可能完成的任务（试想下为一万台服务器上的每个用户每三个月修改一次密码），虽然现在也可以通过类似于<strong>ansible</strong>之类的工具也可以比较容易地做到，但我们有更好的解决方案—-统一认证，这样，只需要在一个地方维护用户数据即可，这样简洁可靠的方案，肯定比<strong>ansible</strong>之类的方案更胜一筹呀。</p>
<a id="more"></a>
<h1 id="How-to"><a href="#How-to" class="headerlink" title="How to"></a>How to</h1><p>一句话；用<strong>sssd</strong>。不过<strong>sssd</strong>在这两个系统下都能跑，但这里为嘛把<strong>CentOS</strong> 6.x和7.x的系统分开讲呢？答案简单：由于<strong>CentOS</strong> 7.x下有<strong>realm</strong>从而使得配置巨简单而<strong>CentOS</strong> 6.x下没有<strong>realm</strong>（也不好编译使用，因为realm其依赖的某个软件包（<strong>glib2</strong>&gt;=2.36）版本很高，而且那是一个及其重要的核心软件包，<strong>CentOS</strong> 6.x不好强行升级到这个版本）所以导致两个版本的配置方法不一样。</p>
<h2 id="背景环境"><a href="#背景环境" class="headerlink" title="背景环境"></a>背景环境</h2><ul>
<li>xxx.corp: 是贵司Windows AD上的主域名</li>
<li>AD1.xxx.corp: 是贵司Windows AD上xxx.corp这个域的全局主域控制器</li>
<li>LoginNO: 是贵司AD域xxx.corp中一个组</li>
<li>Daha.Ma: 是贵司AD域xxx.corp中的一个普通用户</li>
<li>SudoNO: 是贵司AD域xxx.corp中一个组</li>
<li>admin.win: 是贵司AD域xxx.corp中的一个具有管理员权限的用户</li>
</ul>
<h2 id="具体部署"><a href="#具体部署" class="headerlink" title="具体部署"></a>具体部署</h2><h3 id="CentOS-6-x"><a href="#CentOS-6-x" class="headerlink" title="CentOS 6.x"></a>CentOS 6.x</h3><h4 id="安装软件"><a href="#安装软件" class="headerlink" title="安装软件"></a>安装软件</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">yum -y install sssd oddjob oddjob-mkhomedir \</span><br><span class="line">	adcli samba-common authconfig;</span><br><span class="line"><span class="comment"># 下面的"password"是域用户：hiwifi.win的密码</span></span><br><span class="line"><span class="built_in">echo</span> -n <span class="string">"password"</span> | \</span><br><span class="line">	adcli join xxx.corp \</span><br><span class="line">	-U admin.win \</span><br><span class="line">	--stdin-password;</span><br><span class="line">authconfig --enablesssd --enablesssdauth \</span><br><span class="line">	--enablemkhomedir --update;</span><br><span class="line">service messagebus start;</span><br><span class="line">chkconfig messagebus on;</span><br><span class="line"><span class="comment"># 如果不起oddjobd，用户ssh登录不能自动建立家目录</span></span><br><span class="line">service oddjobd start;</span><br><span class="line">chkconfig oddjobd on;</span><br><span class="line"><span class="comment"># 如果跑的有winbind，disable it</span></span><br><span class="line">service winbind stop;</span><br><span class="line">chkconfig winbind off;</span><br></pre></td></tr></table></figure>
<h4 id="修改配置"><a href="#修改配置" class="headerlink" title="修改配置"></a>修改配置</h4><h5 id="krb5-conf"><a href="#krb5-conf" class="headerlink" title="krb5.conf"></a>krb5.conf</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/krb5.conf</span><br></pre></td></tr></table></figure>
<p>使得看起来像这样：</p>
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">[logging]</span></span><br><span class="line"> default = FILE:/var/log/krb5libs.log</span><br><span class="line"> kdc = FILE:/var/log/krb5kdc.log</span><br><span class="line"> admin_server = FILE:/var/log/kadmind.log</span><br><span class="line"></span><br><span class="line"><span class="section">[libdefaults]</span></span><br><span class="line"> default_realm = xxx.corp</span><br><span class="line"> dns_lookup_realm = true</span><br><span class="line"> dns_lookup_kdc = true</span><br><span class="line"> ticket_lifetime = 24h</span><br><span class="line"> renew_lifetime = 7d</span><br><span class="line"> forwardable = true</span><br><span class="line"></span><br><span class="line"><span class="section">[realms]</span></span><br><span class="line"> xxx.corp = &#123;</span><br><span class="line">  kdc = AD1.xxx.corp</span><br><span class="line">  admin_server = AD1.xxx.corp</span><br><span class="line"> &#125;</span><br><span class="line"></span><br><span class="line"><span class="section">[domain_realm]</span></span><br><span class="line"> .example.com = xxx.corp</span><br><span class="line"> example.com = xxx.corp</span><br></pre></td></tr></table></figure>
<h5 id="sssd-conf"><a href="#sssd-conf" class="headerlink" title="sssd.conf"></a>sssd.conf</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/sssd/sssd.conf</span><br></pre></td></tr></table></figure>
<p>修改内容如下：</p>
<figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">[sssd]</span></span><br><span class="line"><span class="attr">services</span> = nss, pam, ssh, autofs</span><br><span class="line"><span class="attr">config_file_version</span> = <span class="number">2</span></span><br><span class="line"><span class="attr">domains</span> = xxx.corp</span><br><span class="line"></span><br><span class="line"><span class="section">[domain/xxx.corp]</span></span><br><span class="line"><span class="attr">id_provider</span> = ad</span><br><span class="line"><span class="attr">fallback_homedir</span> = /home/%u</span><br><span class="line"><span class="attr">shell_fallback</span> = /bin/bash</span><br><span class="line"><span class="attr">override_shell</span> = /bin/bash</span><br><span class="line"><span class="attr">default_shell</span> = /bin/bash</span><br><span class="line"><span class="attr">access_provider</span> = simple</span><br><span class="line"><span class="attr">simple_allow_groups</span> = Login<span class="literal">NO</span></span><br><span class="line"><span class="attr">simple_allow_users</span> = Daha.Ma</span><br></pre></td></tr></table></figure>
<h5 id="sudoer"><a href="#sudoer" class="headerlink" title="sudoer"></a>sudoer</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">visudo</span><br></pre></td></tr></table></figure>
<p>添加这么一句：</p>
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%SudoNO@xxx.corp   ALL=(ALL)       ALL</span><br></pre></td></tr></table></figure>
<p>现在的情况将是：</p>
<ul>
<li>除了<strong>LoginNO</strong>组和<strong>Daha.Ma</strong>以外其他域账号不能登录</li>
<li><strong>SudoNO</strong>组可以不用密码通过<strong>sudo</strong>执行任何命令</li>
</ul>
<h4 id="重启服务"><a href="#重启服务" class="headerlink" title="重启服务"></a>重启服务</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">chmod 600 /etc/sssd/sssd.conf;</span><br><span class="line">chown root:root /etc/sssd/sssd.conf;</span><br><span class="line">/etc/init.d/sssd restart;</span><br></pre></td></tr></table></figure>
<h4 id="维护命令"><a href="#维护命令" class="headerlink" title="维护命令"></a>维护命令</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">id Daha.Ma@xxx.corp; <span class="comment"># 从AD中获取域用户信息</span></span><br><span class="line">id Daha.Ma; <span class="comment"># 在/etc/sssh/sssd.conf中设置了use_fully_qualified_names为False的可以直接用</span></span><br><span class="line">adcli delete-computer --domain=xxx.corp -U admin.win ; <span class="comment"># 退出AD域</span></span><br></pre></td></tr></table></figure>
<h4 id="常见问题"><a href="#常见问题" class="headerlink" title="常见问题"></a>常见问题</h4><h5 id="不能加入域"><a href="#不能加入域" class="headerlink" title="不能加入域"></a>不能加入域</h5><p>当前面adcli join xxxxxx时如果出错：</p>
<blockquote>
<p>adcli: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)</p>
</blockquote>
<p>的话，请尝试修改/etc/krb5.conf，在[libdefaults]这个区块下加一句：</p>
<figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">rdns</span> = <span class="literal">false</span></span><br></pre></td></tr></table></figure>
<p>然后重新再试，即可。</p>
<h3 id="CentOS-7-x"><a href="#CentOS-7-x" class="headerlink" title="CentOS 7.x"></a>CentOS 7.x</h3><h4 id="安装软件-1"><a href="#安装软件-1" class="headerlink" title="安装软件"></a>安装软件</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">yum -y install \</span><br><span class="line">	realmd \</span><br><span class="line">	sssd \</span><br><span class="line">	oddjob \</span><br><span class="line">	krb5-libs \</span><br><span class="line"> 	oddjob-mkhomedir \</span><br><span class="line"> 	adcli \</span><br><span class="line"> 	samba-common;</span><br><span class="line">realm join ad1.xxx.corp -U admin.win; <span class="comment"># 这里需要输入admin.win的密码</span></span><br><span class="line">realm permit -g LoginNO@xxx.corp; <span class="comment">#这里以允许LoginNO组为例</span></span><br></pre></td></tr></table></figure>
<h4 id="修改配置-1"><a href="#修改配置-1" class="headerlink" title="修改配置"></a>修改配置</h4><h5 id="sudoer-1"><a href="#sudoer-1" class="headerlink" title="sudoer"></a>sudoer</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">visudo</span><br></pre></td></tr></table></figure>
<p>添加这么一句：</p>
<figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%SudoNO@xxx.corp   ALL=(ALL)       ALL</span><br></pre></td></tr></table></figure>
<h5 id="sssd-conf-1"><a href="#sssd-conf-1" class="headerlink" title="sssd.conf"></a>sssd.conf</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vim /etc/sssd/sssd.conf</span><br></pre></td></tr></table></figure>
<p>修改两句如下：</p>
<figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">use_fully_qualified_names</span> = <span class="literal">False</span></span><br><span class="line"><span class="attr">fallback_homedir</span> = /home/%u</span><br></pre></td></tr></table></figure>
<h4 id="重启服务-1"><a href="#重启服务-1" class="headerlink" title="重启服务"></a>重启服务</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">systemctl restart sssd;</span><br></pre></td></tr></table></figure>
<p>现在的情况是：</p>
<ul>
<li>除了<strong>LoginNO</strong>组以外其他域账号不能登录</li>
<li><strong>SudoNO</strong>组有不需要密码通过<strong>sudo</strong>执行所有命令的权限</li>
</ul>
<h4 id="维护命令-1"><a href="#维护命令-1" class="headerlink" title="维护命令"></a>维护命令</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">realm permit --withdraw -g LoginNO@xxx.corp; <span class="comment"># 取消LoginNO组的登录权限</span></span><br><span class="line">id Daha.Ma@xxx.corp; <span class="comment"># 从AD中获取域用户信息</span></span><br><span class="line">id Daha.Ma; <span class="comment"># 在/etc/sssh/sssd.conf中设置了use_fully_qualified_names为False的可以直接用</span></span><br><span class="line">realm leave ad1.xxx.corp; <span class="comment"># 退出AD域</span></span><br></pre></td></tr></table></figure>
<h4 id="常见问题-1"><a href="#常见问题-1" class="headerlink" title="常见问题"></a>常见问题</h4><h5 id="sssd不能启动"><a href="#sssd不能启动" class="headerlink" title="sssd不能启动"></a>sssd不能启动</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">systemctl start sssd</span><br></pre></td></tr></table></figure>
<p>时失败，看 log 文件：/var/log/sssd/sssd_xxx.corp.log 里有错误提示：</p>
<blockquote>
<p>[sssd[be[xxx.corp]]] [dp_module_open_lib] (0x0010): Unable to load module [ad] with path [/usr/lib64/sssd/libsss_ad.so]: /lib64/libsamba-credentials.so.0: symbol GSS_KRB5_CRED_NO_CI_FLAGS_X, version gssapi_krb5_2_MIT not defined in file libgssapi_krb5.so.2 with link time reference<br>[sssd[be[xxx.corp]]] [dp_target_init] (0x0010): Unable to load module ad<br>[sssd[be[xxx.corp]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error<br>[sssd[be[xxx.corp]]] [main] (0x0010): Could not initialize backend [1432158209]</p>
</blockquote>
<p>这里的问题是由于一个系统 bug：</p>
<p>samba-client-libs-4.4.4-12.el7_3.x86_64 对 krb5-libs 的依赖关系没正确设置导致的。</p>
<p>具体：</p>
<ol>
<li>sssd 包调用 sssd-ad 包来做跟 windows AD 之间的沟通</li>
<li>sssd-ad 依赖于包 samba-client-libs</li>
<li>samba-client-libs 又依赖于 krb5-libs</li>
<li>由于samba-client-libs 对 krb5-libs 的依赖关系不对，导致 yum install sssd 的时候没有升级正确的 krb5-libs 包，所以导致 sssd 起不来</li>
</ol>
<p>解决方法很简单，前面安装的那部分已经实现了，就是将 krb5-libs 写进 yum install 的包列表里，这样就会强制安装（升级）到最新的 krb5-libs</p>
<h1 id="相关链接"><a href="#相关链接" class="headerlink" title="相关链接"></a>相关链接</h1><ol>
<li><a href="https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server" target="_blank" rel="noopener">Configuring sssd to authenticate with a Windows 2008 or later Domain Server</a></li>
</ol>

    </div>

    
    
    

    <footer class="post-footer">
          <div class="reward-container">
  <div>请我一杯咖啡吧！</div>
  <button>
    赞赏
  </button>
  <div class="post-reward">
      <div>
        <img src="/images/wechat-reward.png" alt="老杨 微信">
        <span>微信</span>
      </div>
      <div>
        <img src="/images/alipay-reward.png" alt="老杨 支付宝">
        <span>支付宝</span>
      </div>

  </div>
</div>

          <div class="followme">
  <span>欢迎关注我的其它发布渠道</span>

  <div class="social-list">

      <div class="social-item">
          <a target="_blank" class="social-link" href="https://twitter.com/6fool">
            <span class="icon">
              <i class="fab fa-twitter"></i>
            </span>

            <span class="label">Twitter</span>
          </a>
      </div>

      <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
      </div>
  </div>
</div>

          <div class="post-tags">
              <a href="/tags/AD/" rel="tag"># AD</a>
              <a href="/tags/ldap/" rel="tag"># ldap</a>
              <a href="/tags/sssd/" rel="tag"># sssd</a>
              <a href="/tags/realm/" rel="tag"># realm</a>
              <a href="/tags/adcli/" rel="tag"># adcli</a>
          </div>

        

          <div class="post-nav">
            <div class="post-nav-item">
                <a href="/2016/09/%E5%B0%8F%E5%9E%8B%E7%BD%91%E7%BB%9C%E7%A7%91%E5%AD%A6%E4%B8%8A%E7%BD%91%E6%96%B9%E6%A1%88%E4%B9%8Bipv6%E7%AF%87/index.html" rel="prev" title="小型网络科学上网方案之ipv6篇">
                  <i class="fa fa-angle-left"></i> 小型网络科学上网方案之ipv6篇
                </a>
            </div>
            <div class="post-nav-item">
                <a href="/2016/10/%E4%BB%8EGoDaddy%E8%BF%81%E5%87%BA%E5%9F%9F%E5%90%8D%E7%9A%84%E6%AD%A3%E7%A1%AE%E5%A7%BF%E5%8A%BF/index.html" rel="next" title="从GoDaddy迁出域名的正确姿势">
                  从GoDaddy迁出域名的正确姿势 <i class="fa fa-angle-right"></i>
                </a>
            </div>
          </div>
    </footer>
  </article>
</div>






</div>
  </main>

  <footer class="footer">
    <div class="footer-inner">

  <div class="copyright">
    &copy; 
    <span itemprop="copyrightYear">2025</span>
    <span class="with-love">
      <i class="fa fa-heart"></i>
    </span>
    <span class="author" itemprop="copyrightHolder">老杨</span>
  </div>
  <div class="powered-by">由 <a href="https://hexo.io/" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/pisces/" rel="noopener" target="_blank">NexT.Pisces</a> 强力驱动
  </div>

    </div>
  </footer>

  
  <div class="toggle sidebar-toggle" role="button">
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
  </div>
  <div class="sidebar-dimmer"></div>
  <div class="back-to-top" role="button" aria-label="返回顶部">
    <i class="fa fa-arrow-up fa-lg"></i>
    <span>0%</span>
  </div>
  <a role="button" class="book-mark-link book-mark-link-fixed"></a>

<noscript>
  <div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>

</body>
</html>
